By Dan Schell, Editorial Director, Life Science Leader
Among the multitude of risks that pharma and biotech executives sweat over every day, those related to data integrity have risen to the top of the list in recent years. Barbara Unger, a veteran consultant of auditing and regulatory intelligence, notes that nearly 80 percent of data-integrity-related warning letters issued since 2008 occurred between 2015 and 2018. Furthermore, in 2018 57 percent of all the FDA’s warning letters were issued to drug companies for failing to meet data-integrity standards. In a recent column by Unger in Pharmaceutical Online, “An Analysis of 2018 FDA Warning Letters Citing Data-Integrity Failures,” she says, “The FDA has not implemented novel interpretations or requirements applicable to data governance. The use of computer systems and other electronic systems requires different approaches to ensure compliant practices, but these are all based on the existing regulations in 21 CFR 211.”
A warning letter is often just the tip of the iceberg when it comes to the repercussions of a data-integrity failure; product recalls, fines, and a drop in stock price often follow. Take, for example, last year’s case of Fresenius SE canceling its $4.3 billion buyout of drugmaker Akorn Inc. The Fresenius team claims that Akorn did not have sufficient controls in place to ensure the reliability and validity of data gathered during process development for one drug product. The company contends false or altered data from a computer system with little security was submitted by Akorn officials to the FDA as part of the NDA. After a judge ruled that Fresenius was justified in canceling the buyout, Akorn’s shares dropped 59 percent.
Often, data-integrity failures can be attributed to disparate data/IT systems and a heavy reliance on spreadsheets and paper batch records — at least prior to product approval. Additionally, during the past decade, pricing pressures and a reallocation of capital investment from facilities to R&D have led to a significant reliance on outsourcing for product development and manufacturing. But the financial advantages of working with an external partner came with a corresponding amount of risk — especially as it relates to data.
THE CHALLENGE OF DATA INTEGRITY WITH CDMOS
Everyone knows Big Data has exploded — and will continue to grow — in the pharma and biotech industries. It’s also common knowledge that many legacy supply agreements (e.g., with CDMOs) may not stipulate the level of data transparency required by regulators and GMP guidelines.
Yet, even when agreements are well-drafted, according to Robert Di Scipio, CEO of informatics software company Skyland Analytics, “Many large and small CDMOs don’t have digital data-management systems that can provide secure, compliant data sharing with their sponsor customers. Many companies still manually extract, manage, and share data with spreadsheets, which are prone to errors and impede timely views/analysis by the broader teams in the supply chain.” In addition, he says that even if digital systems are in place, most are not designed to meet the specialized analytical, reporting, and data transparency requirements of global manufacturing networks that span companies and geographies. A lack of data transparency can result in:
- lack of process oversight (See FDA Data Integrity and Compliance with Drug cGMP: Questions and Answers Guidance for Industry [U.S. FDA, December 2018])
- loss of process IP
- difficulty when transferring the process to internal facility or third-party
- operational inefficiencies such as waste, long cycle times, low yields, minimal throughput, extended time-to-market (and revenue), and diminished margins
- cost to the business P&L and reputation: product recalls, material supply shortages, disruptive M&A activities, decreased valuation, failed audits, and lawsuits.
WHAT STEPS TO TAKE
The following items should be addressed to establish an understanding and mitigation of enterprise risks as they pertain to data integrity:
- Review internal product and process data systems to confirm data integrity and reliability (e.g., via an audit, determine if GMP rules are being followed, if systems are validatable, and what best practices have been implemented).
- Review quality and supply agreements with CDMOs to ensure data transparency and ownership, process control, and appropriate noncompete agreements (e.g., Is the CDMO restricted from producing the target product after the expiry of the supply agreement or patent?).
- Confirm that internal and external audits are sufficient for identifying evolving data-integrity issues.
- Confirm that your legal/audit counsel are taking a comprehensive approach to assessing evolving risks.
- Confirm that your data systems are FDA-compliant and don’t require potentially risky customization.
"In general, it is critical that drug sponsors recognize that they remain legally responsible in the eyes of the FDA for the activities of their contract organizations."
Barbara Binzak Blumenfeld, Ph.D., J.D., M.A.
QUESTIONS WHEN VETTING A CDMO
Barbara Binzak Blumenfeld, Ph.D., J.D., M.A., is a shareholder at the law firm of Buchanan Ingersoll & Rooney PC. She integrates science and bioethics into her legal practice and, as such, has developed extensive experience in the legal ramifications of data integrity as it pertains to pharma sponsors. She says that when vetting a CDMO most sponsors will assess the company’s overall regulatory compliance, but they need to focus specifically on data-integrity compliance issues as well. Key questions to consider include:
- Has the CDMO ever been cited for data-integrity problems in a Form FDA 483 following an inspection?
- Has the CDMO received a warning letter for such problems?
- Is the CDMO subject to a corporate integrity agreement that involves data-integrity matters?
- Has there been litigation against the CDMO that involved data issues?
- Does the CDMO have data-integrity SOPs, and how does it train its employees on data collection, management, and access issues?
“Moreover, in my experience, foreign CDMOs can present particular challenges for several reasons,” she says. “First, these entities may have limited experience with U.S. laws and regulations. Second, cultural norms and attitudes toward data collection, maintenance, and access can contribute to data-integrity problems, even if inadvertently. For example, is data integrity fostered locally, or does the foreign company operate with a ‘speed first’ approach that could result in data errors? Does the work culture — both in the foreign country atlarge and in the specific company in particular — foster an expectation of pleasing superiors, even if that results in data-integrity issues?” Although these questions should be considered prior to the engagement of any CDMO, they may become even more important when a CDMO is located far from the drug sponsor, where ongoing monitoring may be more of a challenge.
It’s also important to assess and audit the data collection, storage processes, and sharing/reporting procedures of a CDMO before engaging. Sponsors should keep in mind, however, that approaches to data collection and handling can be ingrained in local attitudes and practices, so intelligence gathering that extends beyond the existing SOPs and contracts is paramount.
Binzak Blumenfeld also agrees that sponsors need to be confident that the data, once obtained, is managed in the correct way — both by the sponsor itself and by the CDMO. That process requires initial assurance by the CDMO that it has controls in place for data storage and access.
“In general, it is critical that drug sponsors recognize that they remain legally responsible in the eyes of the FDA for the activities of their contract organizations,” explains Binzak Blumenfeld. “For example, as the FDA’s November 2016 Guidance for Industry on quality agreements for contract manufacturers states, ‘when an owner uses a contract facility, the owner’s quality unit is legally responsible for approving or rejecting drug products manufactured by the contract facility, including for final release. (www.fda.gov/media/86193/download)’ This is a critical point for all parties to remember [see: 21 C.F.R. § 200.10; § 211.22].”